Master key hack puts millions of hotel room doors at risk

Researchers from the security firm F-Secure has developed a master key that can pull off data from the hotel key cards and use it to unlock the door. Whether the keys are functional or expired, this device can clone them.

“It can be your own room key, a cleaning staff key, even to the garage or workout facility,” F-Secure’s Tomi Tuominen told Gizmodo. “We can even do it in an elevator if you have your key in your front pocket; we can just clone it from there.”

The researchers started to work on this device in 2003 when their colleague’s laptop was stolen. The hotel staff dismissed the incident as there was no sign of forced entry. According to the security researchers, the vulnerability was in the lock system’s software Vision, developed by VingCard, the company that is now owned by Assa Abloy. Alarmingly, the system they targeted is reportedly used in more than 42,000 properties in 166 countries.

The good news is, right now, no one else is performing this particular attack. The researchers aren’t going to make the attack tools available. Besides, they notified Assa Abloy of the findings and have worked together to develop a fix of the vulnerabilities exploited by the master key device.

“Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place,” said Tuominen thanking Assa Abloy. “We urge any establishment using this software to apply the update as soon as possible.”

The researchers developed a software patch and urged the hotel to update their software. The hotel rooms will no longer be vulnerable to hack once the patch is applied.